Add XMSS/XMSSMT wolfCrypt hooks. #6840

Merged
merged 4 commits into from Oct 16, 2023

Contributor

@philljj philljj commented Oct 5, 2023

Description

This is a companion PR to:

Adds XMSS/XMSS^MT hooks to wolfCrypt. This is achieved by integration with a patched xmss-reference.

This PR adds:

  • XMSS/XMSS^MT hooks support, built with --enable-xmss --with-libxmss=<path to patched xmss src>.
  • XMSS/XMSS^MT verify only build, enabled with --enable-xmss=verify-only instead.
  • Added xmss tests to wolfcrypt/test/test.c for both normal and verify-only builds.
  • Added xmss benchmark to wolfcrypt/benchmark/benchmark.c.
  • Updated INSTALL item with instructions for building xmss-hooks (see item 20: 20. Building with xmss-reference lib for XMSS/XMSS^MT support [EXPERIMENTAL]).

Supported xmss parameters

This supports all SHA256 parameter sets from RFC 8391 and NIST SP 800-208.

A table showing the XMSS parameter sets was added in the documentation PR here:

Also, see wolfssl/wolfcrypt/xmss.h for additional info.

Building

See item 20 of the INSTALL file:

20. Building with xmss-reference lib for XMSS/XMSS^MT support [EXPERIMENTAL]

    Experimental support for XMSS/XMSS^MT has been achieved by integration
    with the xmss-reference implementation from RFC 8391 (XMSS: eXtended
    Merkle Signature Scheme). We support a patched version of xmss-reference
    based on this git commit
    ...

Documentation

Opened a XMSS/XMSS^MT documentation pull request:

Benchmark

The patch updates xmss-reference to use wolfCrypt SHA256 for hashing, and benefits from asm speedups. See the documentation PR for full x86_64 and aarch64 benchmarking.

Benchmark with --enable-intelasm:

$./wolfcrypt/benchmark/benchmark -xmss_xmssmt
------------------------------------------------------------------------------
 wolfSSL version 5.6.3
------------------------------------------------------------------------------
Math: 	Multi-Precision: Wolf(SP) word-size=64 bits=4096 sp_int.c
wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
XMSS-SHA2_10_256  2500     sign       300 ops took 1.650 sec, avg 5.501 ms, 181.774 ops/sec
XMSS-SHA2_10_256  2500   verify      1600 ops took 1.035 sec, avg 0.647 ms, 1545.452 ops/sec
XMSSMT-SHA2_20/2_256  4963     sign       200 ops took 1.152 sec, avg 5.760 ms, 173.617 ops/sec
XMSSMT-SHA2_20/2_256  4963   verify       900 ops took 1.099 sec, avg 1.222 ms, 818.595 ops/sec
XMSSMT-SHA2_20/4_256  9251     sign       300 ops took 1.151 sec, avg 3.836 ms, 260.674 ops/sec
XMSSMT-SHA2_20/4_256  9251   verify       500 ops took 1.239 sec, avg 2.478 ms, 403.509 ops/sec
XMSSMT-SHA2_40/4_256  9893     sign       200 ops took 1.343 sec, avg 6.715 ms, 148.916 ops/sec
XMSSMT-SHA2_40/4_256  9893   verify       500 ops took 1.155 sec, avg 2.309 ms, 433.027 ops/sec
XMSSMT-SHA2_40/8_256 18469     sign       300 ops took 1.119 sec, avg 3.729 ms, 268.175 ops/sec
XMSSMT-SHA2_40/8_256 18469   verify       300 ops took 1.494 sec, avg 4.980 ms, 200.801 ops/sec
XMSSMT-SHA2_60/6_256 14824     sign       200 ops took 1.473 sec, avg 7.364 ms, 135.796 ops/sec
XMSSMT-SHA2_60/6_256 14824   verify       300 ops took 1.107 sec, avg 3.690 ms, 271.002 ops/sec
XMSSMT-SHA2_60/12_256 27688     sign       300 ops took 1.086 sec, avg 3.619 ms, 276.343 ops/sec
XMSSMT-SHA2_60/12_256 27688   verify       200 ops took 1.464 sec, avg 7.321 ms, 136.585 ops/sec
Benchmark complete

Benchmark without intelasm:

$./wolfcrypt/benchmark/benchmark -xmss_xmssmt
------------------------------------------------------------------------------
 wolfSSL version 5.6.3
------------------------------------------------------------------------------
Math: 	Multi-Precision: Wolf(SP) word-size=64 bits=4096 sp_int.c
wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
XMSS-SHA2_10_256  2500     sign       200 ops took 1.317 sec, avg 6.586 ms, 151.843 ops/sec
XMSS-SHA2_10_256  2500   verify      1100 ops took 1.037 sec, avg 0.943 ms, 1060.798 ops/sec
XMSSMT-SHA2_20/2_256  4963     sign       200 ops took 1.669 sec, avg 8.344 ms, 119.854 ops/sec
XMSSMT-SHA2_20/2_256  4963   verify       600 ops took 1.114 sec, avg 1.857 ms, 538.545 ops/sec
XMSSMT-SHA2_20/4_256  9251     sign       200 ops took 1.103 sec, avg 5.515 ms, 181.319 ops/sec
XMSSMT-SHA2_20/4_256  9251   verify       300 ops took 1.039 sec, avg 3.464 ms, 288.694 ops/sec
XMSSMT-SHA2_40/4_256  9893     sign       200 ops took 1.945 sec, avg 9.723 ms, 102.853 ops/sec
XMSSMT-SHA2_40/4_256  9893   verify       300 ops took 1.095 sec, avg 3.651 ms, 273.872 ops/sec
XMSSMT-SHA2_40/8_256 18469     sign       200 ops took 1.100 sec, avg 5.500 ms, 181.826 ops/sec
XMSSMT-SHA2_40/8_256 18469   verify       200 ops took 1.391 sec, avg 6.956 ms, 143.768 ops/sec
XMSSMT-SHA2_60/6_256 14824     sign       100 ops took 1.092 sec, avg 10.924 ms, 91.544 ops/sec
XMSSMT-SHA2_60/6_256 14824   verify       200 ops took 1.084 sec, avg 5.421 ms, 184.459 ops/sec
XMSSMT-SHA2_60/12_256 27688     sign       200 ops took 1.136 sec, avg 5.679 ms, 176.102 ops/sec
XMSSMT-SHA2_60/12_256 27688   verify       100 ops took 1.096 sec, avg 10.958 ms, 91.258 ops/sec
Benchmark complete
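
The number in the second column of the benchmark output above equals the signature size in bytes that the RFC 8391 signature layout gives for each SHA256 parameter set. The following C program is an added example, not code from this PR or from wolfSSL; the function names `wots_len` and `xmss_sig_len` are hypothetical, and it assumes n = 32 and w = 16 for all of these sets.

```c
/* Added example: signature sizes for the SHA-256 parameter sets (n = 32, w = 16),
 * following the RFC 8391 signature layout. Function names are illustrative. */
#include <stdio.h>
#include <stddef.h>

#define XMSS_N 32u /* hash output length in bytes */
#define XMSS_W 16u /* Winternitz parameter */

/* floor(log2(x)) for x >= 1 */
static unsigned ilog2(unsigned x) { unsigned r = 0; while (x >>= 1) r++; return r; }

/* Number of WOTS+ hash chains: len = len_1 + len_2 (RFC 8391, section 3.1.1). */
unsigned wots_len(unsigned n, unsigned w)
{
    unsigned lgw = ilog2(w);
    unsigned len1 = (8u * n + lgw - 1u) / lgw;          /* ceil(8n / lg w) */
    unsigned len2 = ilog2(len1 * (w - 1u)) / lgw + 1u;  /* checksum chains */
    return len1 + len2;
}

/* Signature length in bytes for total height h over d layers.
 * d == 1: XMSS, 4-byte index. d > 1: XMSS^MT, ceil(h/8)-byte index.
 * Returns 0 when h is not a positive multiple of d. */
size_t xmss_sig_len(unsigned h, unsigned d)
{
    size_t idx, wots;
    if (d == 0 || h == 0 || h % d != 0) return 0;
    idx  = (d == 1) ? 4u : (h + 7u) / 8u;
    wots = (size_t)wots_len(XMSS_N, XMSS_W) * XMSS_N;  /* one WOTS+ signature */
    /* index + randomizer r + d WOTS+ signatures + h authentication-path nodes */
    return idx + XMSS_N + (size_t)d * wots + (size_t)h * XMSS_N;
}

int main(void)
{
    static const struct { const char *name; unsigned h, d; } sets[] = {
        { "XMSS-SHA2_10_256", 10, 1 },      { "XMSSMT-SHA2_20/2_256", 20, 2 },
        { "XMSSMT-SHA2_20/4_256", 20, 4 },  { "XMSSMT-SHA2_40/4_256", 40, 4 },
        { "XMSSMT-SHA2_40/8_256", 40, 8 },  { "XMSSMT-SHA2_60/6_256", 60, 6 },
        { "XMSSMT-SHA2_60/12_256", 60, 12 },
    };
    size_t i;
    for (i = 0; i < sizeof sets / sizeof sets[0]; i++)
        printf("%-22s %zu\n", sets[i].name, xmss_sig_len(sets[i].h, sets[i].d));
    return 0;
}
```

For a fixed total height, more layers mean more WOTS+ signatures per XMSS^MT signature, which is why XMSSMT-SHA2_20/4_256 is nearly twice the size of XMSSMT-SHA2_20/2_256.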

Contributor Author

philljj commented Oct 6, 2023

The way I'm building xmss with wolfcrypt is breaking our dependency tracking logic. I will fix it to be more like LMS.

@philljj philljj requested a review from anhu October 9, 2023 16:46
INSTALL Outdated
To build verify-only patched xmss-reference:
$ make xmss_verify_lib.a

Note that this patch adds wolfCrypt SHA256 hashing to xmss-reference, and
Member

Note that this patch changes xmss-reference to use wolfCrypt SHA256 hashing, and ....

INSTALL Outdated
Note that this patch adds wolfCrypt SHA256 hashing to xmss-reference, and
thus benefits from all the same asm speedups as wolfCrypt SHA hashing.
Depending on architecture you may build with --enable-intelasm, or
and --enable-armasm, and see 30-40% speedups in XMSS/XMSS^MT.
Member

first "and" should be removed.


For full keygen, signing, verifying, and benchmarking support, build
wolfSSL with:
$ ./configure \
Member

Wait...if xmss uses wolfssl for sha, then why doesn't it need to have wolfSSL around first? Is it done by registering callbacks? If so, just a short sentence about how it's done would be nice.

Contributor Author

Correct, by registering a sha callback. Good point, I'll update these comments.

/* All NIST SP 800-208 approved SHA256 XMSS/XMSS^MT parameter
* sets.
*
* note: not testing "XMSS-SHA2_16_256", "XMSS-SHA2_20_256",
Member

N in note should be capitalized.

return 0;
}

/* Sets the Xmss key parameters, given an oid.
Member

In comments I think all instances of "oid" should be "OID" as it's an acronym.

return 0;
}

/* Set the Xmss key parameter string.
Member

Xmss should be XMSS in comments. (all caps) here and in other places.

@philljj philljj requested a review from anhu October 12, 2023 06:33
Member

anhu commented Oct 12, 2023

This looks good so far but I noticed it depends on samples repo. Can you assign me as reviewer on that as well?

Member

anhu commented Oct 12, 2023

Took it for a spin and got

*** Warning: Linking the shared library src/libwolfssl.la against the
*** static library /home/anthony/code/xmss/xmss-reference/xmss_lib.a is not portable!

Not sure if this is okay or not.

Contributor Author

philljj commented Oct 13, 2023

> Took it for a spin and got
>
> *** Warning: Linking the shared library src/libwolfssl.la against the
> *** static library /home/anthony/code/xmss/xmss-reference/xmss_lib.a is not portable!
>
> Not sure if this is okay or not.

Correct, this and the LMS --with-liblms= will give this warning. The reason is we are giving a specific path to link the static lib, rather than a generic $(PATH) that would be portable across systems. We could require users install the patched xmss-reference to /usr/local, but these projects do not have install rules and I haven't patched them to be added yet. IMO this is fine for the purposes of demonstrating a test integration.

The wolfBoot LMS and XMSS builds do not have this warning, as they do not build libwolfssl, but rather directly link against the wolfcrypt objects needed.

anhu previously approved these changes Oct 13, 2023
@philljj philljj assigned wolfSSL-Bot and unassigned anhu and philljj Oct 13, 2023
@JacobBarthelmeh JacobBarthelmeh merged commit d351120 into wolfSSL:master Oct 16, 2023
103 checks passed
@philljj philljj deleted the xmss_hooks_support branch October 26, 2023 20:53